OVPN export to iOS fails
- 
 Hello, I am at my wits' end trying to get my OpenVPN client to connect to my pfSense firewall. I have completed the guide here: https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/openvpn-remote-access-server.html. When I attempt to import the VPN profile on my iPhone, I get what is shown in the screenshot.
  I have tried several different crypto algorithms but nothing seems to work. I have verified that the OpenVPN service is running on pfSense, seen here:
  and here is a snip of the crypto config server side.
  Can someone please help!
- 
 Probably the iOS OpenSSL library doesn't support that cipher,
 try to use AES-128-CBC in the Encryption Algorithm field.
- 
  OK, got that working, now the connection is timing out.... Any ideas? I can see the inbound firewall rule for OpenVPN accepting the traffic. It just does not connect.
- 
 @havockk This is a different connection issue,
 check your firewall rules and OpenVPN settings,
 post more details - config, log, etc.
- 
  Packet capture from WAN interface:
 18:13:24.100702 10:e8:78:e0:21:d8 > 40:62:31:0a:71:c8, ethertype IPv4 (0x0800), length 128: (tos 0x0, ttl 53, id 28697, offset 0, flags [none], proto UDP (17), length 114)
 [client wan address].1464 > [server wan address].1195: [udp sum ok] UDP, length 86
 18:13:24.100942 40:62:31:0a:71:c8 > 00:12:1e:22:a3:f0, ethertype IPv4 (0x0800), length 140: (tos 0x0, ttl 64, id 51957, offset 0, flags [none], proto UDP (17), length 126)
 [server wan address].1195 > [client wan address].1464: [udp sum ok] UDP, length 98
 When I attempt to capture packets on the OpenVPN interface, no information is in the output.
 Is this enough information?
- 
 Client profile export:
 persist-tun
 persist-key
 cipher AES-256-CBC
 ncp-ciphers AES-128-GCM
 auth SHA512
 tls-client
 client
 remote [Server WAN address] 1195 udp4
 verify-x509-name "Home vpn" name
 auth-user-pass
 remote-cert-tls server
 compress
- 
 Bump 
- 
 The difference to my working iOS config (running the latest iOS and OpenVPN app) is this: 
 dev tun
 cipher AES-256-GCM
 ncp-disable
 auth SHA256
 resolv-retry infinite
 remote [Server WAN address] 1195 udp
 -Rico
- 
 This also works just fine with all kinds of "I" stuff:
 dev tun
 tun-ipv6
 persist-tun
 persist-key
 cipher AES-128-GCM
 ncp-ciphers AES-128-GCM
 auth SHA256
 tls-client
 client
 resolv-retry infinite
 remote work.work-domain.tld 1194 udp4
 .....
- 
 Maybe there is a problem with auth SHA512 and iOS?
 -Rico
- 
 @Rico said in OVPN export to iOS fails:
 Maybe there is a problem with auth SHA512 and iOS?
 No, since I just set it and it worked just fine.. iPhone XR running 13.5.1 with OpenVPN Connect 3.1.2 (3096)
 persist-tun
 persist-key
 cipher AES-128-CBC
 ncp-ciphers AES-128-GCM:AES-192-GCM:AES-256-GCM:AES-128-CBC:AES-192-CBC:AES-256-CBC
 auth SHA512
 tls-client
 client
 remote 64.53.x.x 1194 udp4
 verify-x509-name "pfsenseopenvpn" name
 remote-cert-tls server
- 
 udp4 VS udp? :-)
 -Rico
- 
 Well not running it on IPv6.. So yeah it's set to UDP v4 only...
- 
 Yeah NM, I see Gertjan is also using udp4 in the config like TO.
 -Rico
- 
 Why would I set it for both if I only want it on v4 ;) The export wizard auto does that, since that is how the server instance is set. The WAN interface doesn't have v6, so if I wanted to do VPN over IPv6 I would have to set up a different instance via the HE tunnel interface. No point in that even though my phone only gets an IPv6 address, it can connect to the IPv4 address just fine.. Many a mobile carrier going that route.. T-Mobile only hands out IPv6 for phones, at least here in Chicagoland. The one real use of IPv6 currently - supply IPs to the BILLIONS of mobile phones ;)
- 
 @Rico said in OVPN export to iOS fails:
 Yeah NM, I see Gertjan is also using udp4 in the config like TO.
 You bet it is!
 I'm actually VPN-into-work just to get my iPhone 'multistacked' ^^
 All this over a UDP IPv4 link of course.
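
The thread troubleshoots by comparing exported client profiles directive by directive. As an added example (not code from any poster, pfSense or OpenVPN; the function names are hypothetical), this Python script diffs the original poster's profile against the one reported working on iOS with the same auth SHA512, and drops the bodies of inline certificate/key blocks so the result can be shared safely:

```python
import shlex
# Added example (hypothetical function names); both profiles are copied from posts in this thread.
OP_PROFILE = """\
persist-tun
persist-key
cipher AES-256-CBC
ncp-ciphers AES-128-GCM
auth SHA512
tls-client
client
remote [Server WAN address] 1195 udp4
verify-x509-name "Home vpn" name
auth-user-pass
remote-cert-tls server
compress
"""
WORKING_PROFILE = """\
persist-tun
persist-key
cipher AES-128-CBC
ncp-ciphers AES-128-GCM:AES-192-GCM:AES-256-GCM:AES-128-CBC:AES-192-CBC:AES-256-CBC
auth SHA512
tls-client
client
remote 64.53.x.x 1194 udp4
verify-x509-name "pfsenseopenvpn" name
remote-cert-tls server
"""

def parse_profile(text):
    """Map directive -> args (last one wins); bodies of inline <ca>/<key> blocks are dropped."""
    directives, inline = {}, None
    for line in map(str.strip, text.splitlines()):
        if inline:  # inside <tag>...</tag>: never keep certificate or key material
            inline = None if line == f"</{inline}>" else inline
        elif line.startswith("<") and line.endswith(">"):
            inline = line[1:-1]
            directives[inline] = ["[inline block omitted]"]
        elif line and line[0] not in "#;":  # skip blank lines and comments
            name, *args = shlex.split(line)
            directives[name] = args
    return directives

def diff_profiles(a, b):
    """Return {directive: (args_in_a, args_in_b)} where they differ; None means absent."""
    pa, pb = parse_profile(a), parse_profile(b)
    return {k: (pa.get(k), pb.get(k)) for k in sorted({**pa, **pb}) if pa.get(k) != pb.get(k)}

if __name__ == "__main__":
    print(*diff_profiles(OP_PROFILE, WORKING_PROFILE).items(), sep="\n")
```

On these two profiles the differing directives are auth-user-pass, cipher, compress, ncp-ciphers, remote and verify-x509-name; auth, tls-client, client and remote-cert-tls are identical.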



